Modifying attributes to release in post-authentication intercept
Robert A Basch
rbasch at mit.edu
Wed Jan 26 22:44:57 UTC 2022
Hi.

We have a requirement to present a post-authentication page on our
IdP for a particular (cloud) SP, displaying a list of values from
which the user can select one to replace the value of an attribute
to assert, i.e. replacing the (already resolved) normal value of the
attribute. The user would also have the option of simply proceeding
normally. In the case where they select a replacement attribute value,
we would also want to remove most, or perhaps all, of the other
attributes normally released to the SP.

This is pretty similar to the impersonation case, and I have used
the impersonation code as a guide for creating an intercept for
our case, but I am unclear as to how to replace the attribute value
properly, and remove the other attributes, or at least prevent
them from being released. I have tested getting the IdPAttribute
from the AttributeContext, and calling the setValues() method
(attributeContext.getIdPAttributes().get(<ID>).setValues(...)) to
change its value; this does change the value, but I am not confident
it is the proper way to do this. I can also call setValues() to
set null values for the unwanted attributes, but I cannot call
remove(), to remove the attribute from the attributes Map, as the
Map is immutable. I have also tried replacing the Map entirely,
which seems like the best approach here, but that resulted in no
attributes being asserted. So there seems to be something I am
missing.

Are there any examples someone could point me at demonstrating how
to do this properly, or any guidance as to how to do it?

Also, I have looked for guidance at the "ProfileHandling" wiki page:
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631868/ProfileHandling
But the box in the "Post-Authentication Intercept Contract" section,
which is apparently supposed to show "some important child contexts",
does not appear; it just says "Error". (The IDP30 page has the same
problem). If that section should show the information I would need to
properly modify the attributes to release as indicated above, please
feel free simply to refer me to a corrected version of the page, or
an alternative source.

Thanks,
Bob

Robert Basch
MIT IS&T